Category
📚
LearningTranscript
00:00Alright guys, so we're going to set up a simple enough login endpoint, we're not going to
00:05put in all of the missing pieces just yet, but we need to do enough that we can understand
00:11how we would receive the login information, and then at least what we would do to validate
00:16it against the data store, right.
00:19So let us continue our endpoint additions here.
00:24And we're going to introduce a few new data types as well.
00:28I will mention them as we go along.
00:30So we're creating a new post endpoint, and I'm just going to simply call it slash login.
00:36And from this one, we are going to let me just create the delegate section first.
00:45But what we're going to have is a few injections, right.
00:50So first of all, we should expect some credentials.
00:54And based on how we've handled data before, we know that we can easily create something
01:00that looks like what's a data type, or some form of DTO data transfer object that will
01:08transport the data for us, right.
01:10So here, I'm going to say login, let's say DTO, right, it's not a data type that is created
01:17just yet.
01:18So we're going to create it on the fly.
01:19So we have this new type called login DTO control dot, and I will just generate the
01:25type below, right, I will just generate it in the same minimal file.
01:30That's one of the advantages to minimal API is you can just put everything in one place,
01:35right?
01:36I'll move it, however, until after the app dot run.
01:41And this login DTO is going to have a username and password, because generally speaking,
01:48that's what we need for more users, right username and password.
01:54So we have the login DTO that we have included, we're going to need probably some access to
02:01the DB context.
02:03But more interestingly, we will have access to this new library called user manager.
02:12So when I add the user manager, that is just an injection, right?
02:17And this user manager is actually the built in library that allows us to manipulate to
02:23do certain user related operations without even needing to go to the DB context, right?
02:29So generally speaking, when we do queries, you say DB context dot table dot do whatever
02:35you want to do, you know, you say DB context dot find cars by the ID.
02:41And if that's the way you're thinking you'd find the user, you're not entirely you're
02:44not incorrect by any means.
02:47However, the user manager has the built in method that executes the query for you in
02:52the most efficient manner.
02:53So you don't have to sit down and think about the query to get the user by email, etc.
02:59User manager has that built in.
03:00So what do I mean by that I can now easily say var user is equal to and then I can await
03:08the user manager who now can go and find by email async, right?
03:17Because, well, I am asking for username password, so I can find by email, I do believe that
03:26there's also a find by username, get sorry, sometimes I just type in the method and scroll
03:34to see if I can find anything like that.
03:38But it doesn't seem to have a find by username.
03:41If we do find you see find by email, find by login, which is different because that
03:49uses external and find by name, which is the one that takes username.
03:53There we go.
03:54So you can do find by name async.
03:57And then you pass in the username that came in through the login detail.
04:01So it will go off, look in the user tables and find the user record with that username.
04:08Right now, we can always check if the user is null.
04:14If nothing came back, that means the username you provided is incorrect.
04:20So if it is null, then we return results.
04:25That's unauthorized, right?
04:30So what we don't want to do is give the calling client too many clues.
04:35If it was the username, that's wrong.
04:37I don't need to tell you, oh, I'm sorry, your username was wrong.
04:40I'm just going to tell you, you're unauthorized.
04:42You tried something, didn't work.
04:44I'm sorry.
04:44Try again, right?
04:46Well, I'm not going to give you details because the more details is the more somebody who
04:50might be malicious can figure out what might be wrong when they're trying to log in with
04:55an account that's not necessarily theirs, right?
04:58So we do this.
05:00If the user is null, then we return unauthorized.
05:04Then after we validate that the username might be accurate, what I can do is validate if
05:12and I'll just say var is valid password, right?
05:18And then I can say await user manager and the check password async for the user that
05:28was retrieved and the password that was provided through the login ETL, right?
05:38So the combination of these checks now will make sure that one, I'm not going to go much
05:45further than I need to.
05:48If the username is wrong, if the username was found, was the password for said username
05:54correct, right?
05:55And then I can once again say, and this is just going to return a Boolean.
05:59So because what happens is that APIs are stateless.
06:02So it's not like I'm going to log you into the system.
06:05This is just me checking.
06:06Are you in the system, right?
06:08Because this will be the mobile app sending over credentials and asking the API, is this
06:16user valid?
06:17You tell me, because I'm relying on your system for my data.
06:20So I'm just going to say, if the credentials, if the password is not valid, then we also
06:29return unauthorized.
06:30So if the username is wrong or the combination is wrong, either way, I'm just sending you
06:35back a 401.
06:37You can figure out the rest afterwards.
06:40Now, if it moves beyond that point, then what we would want to do is generate something
06:46called an access token.
06:49We'll be doing that at a later point.
06:51So I'm just putting the placeholder there.
06:53So you get an idea.
06:54And then when we generate this access token, then we will generate a response.
06:59So I'm just going to say var response is equal to and introduce another data type that we're
07:05about to define.
07:06So I'll just call it auth response DTO.
07:10All right.
07:11And then this auth response DTO, I will just generate that class below once again.
07:19And then this new data type is going to have, well, it can have whatever information you
07:26want it to have in the sense that you could put in the user ID, the username if you wanted
07:32to.
07:33But most importantly, we need to include that access token.
07:37Right.
07:37So the same access token that we generate here is what I would include in that auth
07:42response.
07:43So we would send back that token to the mobile client so that it now can store it and reuse
07:49it for all subsequent requests.
07:51Because once again, we're hardening or securing our API.
07:55So that means that if you don't provide a token by the time we're done here, no endpoint
08:00should be easy to reach unless you provide a token, especially the ones that are doing
08:05like the manipulation, the put and the delete and the post.
08:08Maybe you can look at the cars without being authenticated, but you definitely can't
08:14manipulate them if you're not authenticated.
08:16Stuff like that.
08:16Right.
08:18So all of that to say what we will return here would be the user ID.
08:25So I can say user ID is equal to the user that we retrieved the ID that they have.
08:32I could say the username username is equal to the user username that we found on record.
08:42And then token will just put a placeholder access token here.
08:49Right.
08:49So when we go through the process of generating the access token, of course, that's what
08:53we'll put here.
08:54And then after doing all of that, then we want to return results that I can do.
09:03OK, you could look through to see if there is any more appropriate one.
09:07But I think OK is fine.
09:11You could.
09:12Yeah, I think OK is fine.
09:14So we can just return OK and pass in that response.
09:20And that's it.
09:21So that's our login endpoint.
09:22So once again, when we get the credentials and we have injected our user manager, we're
09:29going to go and fetch the user, do some checks to make sure that the user is who they say
09:35they are.
09:35If not, we just tell them that they're unauthorized.
09:38But then if everything checks out, then we generate an access token.
09:43And then we return a response letting you know that, yes, you have gained access to
09:47the system successfully.
09:49So now we're going to go back to our .NET MAUI app and we're going to design a page
09:53that will allow us to enter credentials and at least click send and at least have the
10:01API call to the login endpoint.
10:03Of course, there is no data.
10:05There is no user data currently.
10:06So certain things won't work, but we're inching towards it.